Cybersecurity: A Strategic Issue for Companies
In August 2022, the Corbeil-Essonnes hospital was the victim of a cyber attack that rendered all corporate software, storage systems, and the admissions management system inaccessible. This major attack slowed down the hospital’s operations, forcing it to function on a reduced scale for several weeks and transfer its most vulnerable patients to other hospitals. Fortunately, no lives were lost, but the repercussions of this cyber attack are still concerning. This is not the first attack of this type – other medical facilities are frequently targeted – and it certainly won’t be the last. Cyber attacks have been steadily increasing at an unprecedented rate for some years.
Companies are no exception to this trend and are the targets of more and more harmful cyber attacks. They have to adapt to avoid the often-serious consequences associated with these threats.
With the emergence of digitization, cloud security now needs to be a vital part of every company’s digital strategy. Cloud security is a set of methods and technologies companies can use to deal with security risks. Companies must ensure the security of their cloud-based data and services. Numerous factors, including infrastructure, data, physical security, identity and access management, preventative testing, and tools, must be considered to guarantee cloud security. That’s why Cellenza experts are giving you never-before-seen content all through the month of October as part of Cloud Security Month.
Cybersecurity: Numbers Are on the Rise
According to the 2022 Corporate Cybersecurity Barometer published by CESIN, 54% of French businesses were the target of a cyber attack in 2021. Over half of those experienced anywhere from one to three attacks, significantly impacting their operations. Since this figure does not include attempted attacks, the actual number is likely substantially higher. According to cybersecurity experts, “100% of companies have been attacked: they have either actually been attacked, or they don’t know it yet.”
The severity of the attacks is also rising; 60% of the targeted businesses have suffered a negative impact on their operations, according to CESIN.
The French National Cybersecurity Agency, ANSSI, also notes a 255% increase in ransomware attacks (malicious software that holds a system or its data hostage) in 2020. This trend is expected to keep rising rapidly over the next few years.
Cyber Attacks: What Are the Effects for Businesses?
Cyber attacks have far-reaching and often disastrous repercussions for the companies that fall victim to them. These include:
- Data theft or loss
- Suspension of access to essential business software, leading to a slowdown or complete halt in operations as a result of system paralysis
- Damage to reputation and brand image
- Commercial damage (if strategic data is disclosed)
- Financial loss
It is estimated that a company hit by an attack loses 25% of its yearly revenue. Worse still, a staggering 60% of small and medium-sized enterprise (SME) victims do not survive and declare bankruptcy within 18 months following the attack.
Cyber attacks can also have long-lasting effects. This occurs, for instance, when a data breach damages a company’s reputation among its customers. Customers will become wary, and it may take years to regain their trust.
Three Major Challenges
Even though it is impossible to avoid attacks, companies must take steps to prevent them. A preventive strategy should focus on these three main areas:
- Regulatory compliance: companies have regulatory obligations to make their information system (IS) and data more secure, depending on their status and activity. For instance, the French Military Programming Act stipulates that companies classified as Operators of Essential Services (OESs) must adhere to its requirements. Similarly, all French companies must comply with the General Data Protection Regulation (GDPR), which imposes strict rules about protecting personal information.
- Data protection: data is regarded as “the gold of the 21st century.” This makes it a prime target for cybercriminals, just like any other valuable commodity. Personal and business data alike are frequently sensitive, so extra vigilance is required both while the data is stored and when it is transferred. It is, therefore, imperative for businesses to take the necessary precautions and secure their data.
- Ensuring hardware and application availability: the third key issue in cybersecurity is software and hardware protection, which requires special attention. Faced with increasingly sophisticated attacks, businesses must anticipate and implement methods to safeguard their infrastructure and software to avoid partial or complete unavailability, which would limit or even prevent operations.
How to Protect Yourself from Cyber Attacks?
While it is impossible to prevent cyber attacks, they can be successfully defeated by implementing adequate countermeasures. There are several methods for combating cybercrime, and none of them should be overlooked:
- Implement sound cybersecurity governance: cyber risk has emerged as one of the most significant threats to modern businesses. Therefore, it makes sense to establish security governance to define the rules relevant to cybersecurity, the responsibilities of the many stakeholders, and the various controls to be implemented. Governance is responsible for implementing the company’s security strategy and determining which measures are to be adopted to keep the IS secure.
- Conduct a risk audit: an internal audit is the cornerstone of every anti-cybercrime policy. What are the potential risks? What current safeguards are in place? What are the risk-reduction recommendations? These are the questions that the auditor will need to answer. It is possible to do this audit in-house, especially in small businesses, but it is better to hire an external auditor who is more likely to be objective and impartial.
- Implement IT solutions: with the proliferation of cloud computing in recent years, it is vital to ensure software and hardware security. IT tools and solutions have been developed to provide a secure solution. Their implementation requires a certain expertise: how to choose the right solutions? How to deploy them? How to maintain them over time? It is advisable to enlist the help of IT security experts to implement these solutions and improve the skills of internal teams so that they are sufficiently well trained to keep the solutions running.
- Raise employee awareness: There is no doubt that people remain the weakest link in cybersecurity. According to CESIN, phishing is the primary means of access for 73% of attacked firms. Cybercriminals are not naive and deliberately target large numbers of individuals to infiltrate a company’s IS. There is only one way to combat this phenomenon: prevention. Regardless of firm size or industry, every employee must be aware of cybersecurity and best practices.
How Can You Raise Your Teams’ Awareness of Cybersecurity?
As a result of the Covid health crisis, there has been a massive increase in people working from home. This has led to a rise in the number of attacks targeting individuals. According to estimates, nearly half of all telecommuters have been duped by a phishing attempt. As a result, all employees must be aware of the risks to ensure a company’s security.
The IT department must decide on awareness-raising initiatives to ensure the best possible protection against the risks involved.
Although some departments, like HR, Finance, and Communication, are more at risk than others because their work involves more interaction with the outside world, it is essential to raise awareness among all employees.
Multi-Channel Campaigns to Spread Messages
Cyber risk information campaigns need to be organized within the company regularly, across different channels, to reach the broadest possible audience. There are several methods for communicating about cybersecurity internally:
- Poster campaigns: posters can effectively spread messages about prevention in businesses with physical locations. Posters should be displayed in high-traffic areas such as the entrance hall, cafeterias, and copy rooms.
- Via email or company newsletter: companies can use a variety of internal communication channels. Sending regular emails or internal newsletters is an excellent way to get the message out to everyone, especially when employees are working from home. But there is a catch: the overwhelming number of emails people receive daily means that these informational messages are often put to one side. As a result, it’s vital that they are correctly planned and spaced out and that each message is composed with care.
- Brochure/fact sheet: in large companies or ones with strict security rules, it can be helpful to give each employee a hard copy document that summarizes best practices. Printed fact sheets can be placed near workstations so they are always accessible. A free digital risk awareness kit is available for download at cybermalveillance.gouv.fr.
- Videos: video is another popular medium for spreading awareness messages. Videos may be shared with staff via email, the company intranet, or even internal video screens in companies that have them. The ANSSI publishes a number of videos, but you can also hire specialist agencies to produce customized videos for your business.
- Conferences/webinars/workshops: expert talks on cybersecurity are an effective way to raise team awareness. They also provide an opportunity for employees to raise questions and receive clear answers. There may be costs involved in this option (calling a staff meeting, paying for a guest speaker, reserving a venue, etc.), but the messages will be delivered effectively to the employees who attend.
- Phishing simulation: more and more companies are setting up fake phishing campaigns to test the awareness levels of their employees. Employees are sent fake emails about various topics, such as vacations, bonuses, invitations to team parties, tickets to works council meetings, etc. Thanks to a dedicated platform, it is then possible to find out how many people opened the email, clicked on a link, filled in personal information, downloaded an attachment, etc. The results of these tests are a useful way of gauging the awareness level across all teams and, if needed, setting up new initiatives to build on their knowledge of best practices.
Cloud Security: A Comprehensive Guide
Employee awareness is a crucial element of corporate security, but it is not enough on its own. The security of IT solutions, and especially the Cloud, cannot be ignored.
Throughout the month of October, we will be releasing a series of articles focused on cloud security.
Looking for help with cloud security? Find out more about the cloud security services we provide or contact us!